I'm trying to solve SIP issues with my new setup - my VoIP gateway won't register with the VoIP server when the connection goes through the PPPoE client configured on the WAN port.
What's strange: when I use another router as the PPPoE client (and so disable PPPoE on the MikroTik), connected to the same port, everything is fine (the second router then acts as the WAN for the MikroTik).
Setup:
1. ethernet-1-fiber is a WAN port with ONT device connected to it
2. WAN port has three VLANs: interface-vlan-internet, interface-vlan-iptv and interface-vlan-vod
3. interface-vlan-internet has PPPoE client (enabled by default)
4. ethernet-1-fiber has DHCP client when ONT is connected to second router (disabled by default)
5. SIP is using UDP
Summary:
1. Internet on interface-vlan-internet always works, I'm having no issues with that
2. When the ONT is connected to ethernet-1-fiber and the PPPoE client is enabled, SIP registration on port 5060 doesn't work (the network sniffer shows zero received packets)
4. When another router (acting as a WAN) is connected to ethernet-1-fiber with DHCP enabled and PPPoE client disabled, SIP registration on 5060 does work
5. SIP ALG is disabled, but enabling it / changing its settings doesn't fix the issue
Does anyone have any idea what could be wrong with that PPPoE setup? Thank you :)!
Simplified configuration:
# Layer-2 layout: two VLAN-filtering bridges (bridge-lan for the LAN side,
# bridge-vod-iptv with pvid=8 for the TV side), descriptive names for the
# physical ports, the VLAN interfaces and the PPPoE client.
/interface bridge add add-dhcp-option82=yes dhcp-snooping=yes fast-forward=no igmp-snooping=yes name=bridge-lan vlan-filtering=yes
/interface bridge add igmp-snooping=yes name=bridge-vod-iptv pvid=8 vlan-filtering=yes
/interface ethernet set [ find default-name=ether1 ] name=ethernet-1-fiber
/interface ethernet set [ find default-name=ether2 ] name=ethernet-2-switch-trunk
/interface ethernet set [ find default-name=ether3 ] name=ethernet-3-iptv
/interface ethernet set [ find default-name=ether4 ] name=ethernet-4
/interface ethernet set [ find default-name=ether5 ] name=ethernet-5
/interface ethernet set [ find default-name=ether6 ] name=ethernet-6
/interface ethernet set [ find default-name=ether7 ] name=ethernet-7
/interface ethernet set [ find default-name=ether8 ] name=ethernet-8
/interface ethernet set [ find default-name=ether9 ] name=ethernet-9
/interface ethernet set [ find default-name=ether10 ] name=ethernet-10
/interface ethernet set [ find default-name=sfp-sfpplus1 ] disabled=yes name=sfp-sfpplus
# VLAN interfaces. LAN-side VLANs (1, 40, 70) sit on bridge-lan; the
# provider-facing VLANs (35, 838, 839) sit directly on the fiber port.
# NOTE(review): the name interface-vlan-iptv is used twice below (vlan-id=80 on
# bridge-vod-iptv and vlan-id=839 on ethernet-1-fiber). This is probably an
# artifact of simplifying the export; until it is resolved, every address,
# DHCP server, interface-list entry and IGMP-proxy line that names
# interface-vlan-iptv is ambiguous about which side it applies to.
/interface vlan add interface=bridge-lan name=interface-vlan-default vlan-id=1
/interface vlan add interface=bridge-vod-iptv name=interface-vlan-iptv vlan-id=80
/interface vlan add interface=ethernet-1-fiber name=interface-vlan-internet vlan-id=35
/interface vlan add interface=ethernet-1-fiber name=interface-vlan-iptv vlan-id=839
/interface vlan add interface=ethernet-1-fiber name=interface-vlan-vod vlan-id=838
/interface vlan add interface=bridge-lan name=interface-vlan-sat vlan-id=70
/interface vlan add interface=bridge-lan name=interface-vlan-voip vlan-id=40
# The PPPoE session runs over VLAN 35. Once it is up, routed Internet traffic
# enters and leaves through pppoe-fiber-ipv4, so firewall and NAT rules have to
# match that interface (or a list containing it), not only ethernet-1-fiber.
# NOTE(review): no allow= is given, so the client offers RouterOS's default set
# of authentication methods; restricting it to the method the ISP actually uses
# avoids offering weaker ones to whichever access concentrator answers.
/interface pppoe-client add add-default-route=yes interface=interface-vlan-internet keepalive-timeout=60 max-mru=1492 max-mtu=1492 name=pppoe-fiber-ipv4 user=XXXXXX
# Switch-chip ports 0-11 are all set to default-vlan-id=0.
/interface ethernet switch port set 0 default-vlan-id=0
/interface ethernet switch port set 1 default-vlan-id=0
/interface ethernet switch port set 2 default-vlan-id=0
/interface ethernet switch port set 3 default-vlan-id=0
/interface ethernet switch port set 4 default-vlan-id=0
/interface ethernet switch port set 5 default-vlan-id=0
/interface ethernet switch port set 6 default-vlan-id=0
/interface ethernet switch port set 7 default-vlan-id=0
/interface ethernet switch port set 8 default-vlan-id=0
/interface ethernet switch port set 9 default-vlan-id=0
/interface ethernet switch port set 10 default-vlan-id=0
/interface ethernet switch port set 11 default-vlan-id=0
# Interface lists used as trust zones by the firewall. list-lan is the union of
# the three LAN trust tiers (include=). list-vod-iptv and list-deny-internet
# are separate lists and are NOT part of list-lan, so rules written against
# list-lan or list-wan do not cover their members.
/interface list add name=list-wan
/interface list add name=list-lan-fully-trusted
/interface list add name=list-lan-untrusted
/interface list add name=list-lan-partially-trusted
/interface list add include=list-lan-fully-trusted,list-lan-partially-trusted,list-lan-untrusted name=list-lan
/interface list add name=list-vod-iptv
/interface list add name=list-deny-internet
# Custom DHCP client options (60 vendor class, 61 client identifier, 77 user
# class). The option 61 value is redacted by the poster. The option 77 hex
# decodes to a 0x25 length byte followed by the ASCII string
# "FSVDSL_funbox.MLTV.softathome.Funbox6".
/ip dhcp-client option add code=60 name=vendor-class-identifier value="'sagemcom'"
/ip dhcp-client option add code=61 name=dhcp-client-identifier value=0x01XXXXXX
/ip dhcp-client option add code=77 name=user-class value=0x2546535644534c5f66756e626f782e4d4c54562e736f66746174686f6d652e46756e626f7836
# One address pool and one DHCP server per local segment, all with 12h leases.
/ip pool add name=pool-default ranges=192.168.1.75-192.168.1.235
/ip pool add name=pool-vlan-voip ranges=192.168.4.75-192.168.4.235
/ip pool add name=pool-vlan-sat ranges=192.168.7.75-192.168.7.235
/ip pool add name=pool-vlan-iptv ranges=192.168.8.75-192.168.8.235
/ip dhcp-server add address-pool=pool-default disabled=no interface=bridge-lan lease-time=12h name=dhcp-server-default
/ip dhcp-server add address-pool=pool-vlan-voip disabled=no interface=interface-vlan-voip lease-time=12h name=dhcp-server-vlan-voip
/ip dhcp-server add address-pool=pool-vlan-sat disabled=no interface=interface-vlan-sat lease-time=12h name=dhcp-server-vlan-sat
# NOTE(review): interface-vlan-iptv is declared twice in this export (once on
# bridge-vod-iptv, once on ethernet-1-fiber). Confirm this server is bound to
# the local TV VLAN and not to the provider-facing one, where it would hand out
# leases towards the ISP segment.
/ip dhcp-server add address-pool=pool-vlan-iptv disabled=no interface=interface-vlan-iptv lease-time=12h name=dhcp-server-vlan-iptv
# Bridge filter: set 802.1p priority 4 on frames leaving interface-vlan-vod and
# priority 5 on frames leaving interface-vlan-iptv.
# The two "# in/out-bridge-port matcher not possible ..." lines are warnings
# written by RouterOS into the export. NOTE(review): they suggest these rules
# do not take effect as written, because the named interfaces are not bridge
# ports.
/interface bridge filter
# in/out-bridge-port matcher not possible when interface (interface-vlan-vod) is not slave
add action=set-priority chain=output new-priority=4 out-interface=interface-vlan-vod passthrough=yes
/interface bridge filter
# in/out-bridge-port matcher not possible when interface (interface-vlan-iptv) is not slave
add action=set-priority chain=output new-priority=5 out-interface=interface-vlan-iptv passthrough=yes
# Bridge membership: ether2 (trunk) and ether4-10 belong to bridge-lan,
# ether3 belongs to bridge-vod-iptv. ethernet-1-fiber is not a bridge port.
/interface bridge port add bridge=bridge-lan interface=ethernet-2-switch-trunk
/interface bridge port add bridge=bridge-vod-iptv interface=ethernet-3-iptv
/interface bridge port add bridge=bridge-lan interface=ethernet-4
/interface bridge port add bridge=bridge-lan interface=ethernet-5
/interface bridge port add bridge=bridge-lan interface=ethernet-6
/interface bridge port add bridge=bridge-lan interface=ethernet-7
/interface bridge port add bridge=bridge-lan interface=ethernet-8
/interface bridge port add bridge=bridge-lan interface=ethernet-9
/interface bridge port add bridge=bridge-lan interface=ethernet-10
# Bridged (switched) traffic, including VLAN-tagged frames, is also passed
# through the IP firewall chains. Filter rules therefore apply to traffic
# between ports of the same bridge as well as to routed traffic.
/interface bridge settings set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
# Neighbor discovery (CDP/LLDP) runs on every interface that is not dynamic.
# ethernet-1-fiber and its VLAN interfaces are statically configured, so the
# router announces its identity and version details towards the provider side.
# NOTE(review): limiting this to the LAN, e.g. discover-interface-list=list-lan,
# keeps that information off the WAN segment.
/ip neighbor discovery-settings set discover-interface-list=!dynamic protocol=cdp,lldp
# rp-filter=strict discards a packet when the route back to its source address
# does not point out of the interface it arrived on. The drop happens in the
# routing stage, so it never shows up in firewall counters or logs.
# NOTE(review): this router has several upstream-facing interfaces (the PPPoE
# client, a DHCP client on ethernet-1-fiber, a DHCP client on bridge-vod-iptv
# that installs classless routes). If any of those routes covers the VoIP
# servers, replies arriving over PPPoE fail the strict check. Comparing
# /ip route with the PPPoE session up, or testing with rp-filter=loose, would
# confirm or rule this out for the missing SIP replies.
/ip settings set rp-filter=strict tcp-syncookies=yes
# VLAN table. VLAN 1 is untagged on the trunk; 10, 40 and 70 are tagged.
# NOTE(review): VLAN 10 is carried on the trunk but has no VLAN interface or
# address in this export.
/interface bridge vlan add bridge=bridge-lan untagged=bridge-lan,ethernet-2-switch-trunk vlan-ids=1
/interface bridge vlan add bridge=bridge-lan tagged=bridge-lan,ethernet-2-switch-trunk vlan-ids=40
/interface bridge vlan add bridge=bridge-lan tagged=bridge-lan,ethernet-2-switch-trunk vlan-ids=10
/interface bridge vlan add bridge=bridge-lan tagged=bridge-lan,ethernet-2-switch-trunk vlan-ids=70
# NOTE(review): ethernet-2-switch-trunk is listed as a tagged member of
# bridge-vod-iptv here, but it is a port of bridge-lan above; a port can only
# belong to one bridge, so VLAN 80 is presumably not reaching the trunk.
/interface bridge vlan add bridge=bridge-vod-iptv tagged=bridge-vod-iptv,ethernet-2-switch-trunk untagged=ethernet-3-iptv vlan-ids=80
# Zone membership. list-wan holds the physical fiber port, the Internet VLAN
# and the PPPoE interface, so WAN rules match both the DHCP-uplink and the
# PPPoE-uplink variants of the setup.
# interface-vlan-sat is both "untrusted" and in list-deny-internet.
# The interface-vlan-iptv -> list-vod-iptv entry appears twice (duplicate).
# Members of list-vod-iptv belong to neither list-wan nor list-lan.
/interface list member add interface=ethernet-1-fiber list=list-wan
/interface list member add interface=interface-vlan-default list=list-lan-fully-trusted
/interface list member add interface=interface-vlan-sat list=list-lan-untrusted
/interface list member add interface=interface-vlan-voip list=list-lan-partially-trusted
/interface list member add interface=bridge-lan list=list-lan-fully-trusted
/interface list member add interface=pppoe-fiber-ipv4 list=list-wan
/interface list member add interface=interface-vlan-iptv list=list-vod-iptv
/interface list member add interface=interface-vlan-vod list=list-vod-iptv
/interface list member add interface=interface-vlan-iptv list=list-vod-iptv
/interface list member add interface=interface-vlan-internet list=list-wan
/interface list member add interface=ethernet-3-iptv list=list-vod-iptv
/interface list member add interface=interface-vlan-sat list=list-deny-internet
# Gateway addresses for the local segments (.1 in each /24).
/ip address add address=192.168.1.1/24 interface=bridge-lan network=192.168.1.0
/ip address add address=192.168.4.1/24 interface=interface-vlan-voip network=192.168.4.0
/ip address add address=192.168.7.1/24 interface=interface-vlan-sat network=192.168.7.0
/ip address add address=192.168.8.1/24 interface=interface-vlan-iptv network=192.168.8.0
# DHCP client on bridge-vod-iptv: sends the custom options 60/61/77 plus the
# hostname, and installs routes from the lease (special-classless) at
# distance 210. Peer DNS and NTP are ignored.
/ip dhcp-client add add-default-route=special-classless default-route-distance=210 dhcp-options=vendor-class-identifier,dhcp-client-identifier,user-class,hostname disabled=no interface=bridge-vod-iptv use-peer-dns=no use-peer-ntp=no
# NOTE(review): the post says the DHCP client on ethernet-1-fiber is disabled
# by default, but this line exports it as disabled=no. Confirm its state for
# the failing PPPoE case: an active client here can add a second default route
# next to the PPPoE one.
/ip dhcp-client add disabled=no interface=ethernet-1-fiber use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 netmask=24
/ip dhcp-server network add address=192.168.4.0/24 dns-server=192.168.4.1 gateway=192.168.4.1 netmask=24
/ip dhcp-server network add address=192.168.7.0/24 dns-server=192.168.7.1 gateway=192.168.7.1 netmask=24
/ip dhcp-server network add address=192.168.8.0/24 dns-server=192.168.8.1 gateway=192.168.8.1 netmask=24
# allow-remote-requests=yes makes the router answer DNS queries on all of its
# addresses. Nothing in this line restricts who may query it; the only thing
# keeping the resolver closed to the Internet is the input-chain rule that
# drops traffic from interfaces outside list-lan. If that rule is ever removed
# or reordered, the router becomes an open resolver.
/ip dns set allow-remote-requests=yes cache-max-ttl=1h max-concurrent-queries=250 max-concurrent-tcp-sessions=50 servers=1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1001
# list-bogus-ipv4: private, loopback, link-local, multicast, documentation,
# benchmarking, CGNAT and reserved ranges that should not appear as public
# Internet addresses. Used by the forward chain in both directions.
# Note that 100.64.0.0/10 (CGNAT) and the RFC 1918 ranges are on this list, so
# an ISP that hands out or routes such addresses on the WAN side would have its
# traffic dropped by the rules that reference this list.
/ip firewall address-list add address=0.0.0.0/8 list=list-bogus-ipv4
/ip firewall address-list add address=172.16.0.0/12 list=list-bogus-ipv4
/ip firewall address-list add address=192.168.0.0/16 list=list-bogus-ipv4
/ip firewall address-list add address=10.0.0.0/8 list=list-bogus-ipv4
/ip firewall address-list add address=169.254.0.0/16 list=list-bogus-ipv4
/ip firewall address-list add address=127.0.0.0/8 list=list-bogus-ipv4
/ip firewall address-list add address=224.0.0.0/4 list=list-bogus-ipv4
/ip firewall address-list add address=198.18.0.0/15 list=list-bogus-ipv4
/ip firewall address-list add address=192.0.0.0/24 list=list-bogus-ipv4
/ip firewall address-list add address=192.0.2.0/24 list=list-bogus-ipv4
/ip firewall address-list add address=198.51.100.0/24 list=list-bogus-ipv4
/ip firewall address-list add address=203.0.113.0/24 list=list-bogus-ipv4
/ip firewall address-list add address=100.64.0.0/10 list=list-bogus-ipv4
/ip firewall address-list add address=240.0.0.0/4 list=list-bogus-ipv4
/ip firewall address-list add address=192.88.99.0/24 list=list-bogus-ipv4
# list-voip: two addresses, presumably the provider's SIP servers.
# NOTE(review): no filter, NAT or mangle rule in this export references
# list-voip, so it currently has no effect on SIP traffic.
/ip firewall address-list add address=83.0.8.193 list=list-voip
/ip firewall address-list add address=83.0.8.244 list=list-voip
# INPUT chain (traffic addressed to the router itself). Order matters: the
# accept rules below are evaluated before the final drop, and none of them has
# an in-interface restriction, so they apply to WAN-side traffic too.
/ip firewall filter add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="drop invalid" connection-state=invalid
# ICMP to the router is accepted from every interface and every packet is
# logged. NOTE(review): unsolicited pings from the Internet can fill the log
# buffer and push out more useful entries; consider dropping log=yes or adding
# a rate limit once debugging is done.
/ip firewall filter add action=accept chain=input comment="accept ICMP" log=yes log-prefix=icmp protocol=icmp
# IKE (UDP 500/4500), AH and ESP are accepted from any source address.
# NOTE(review): no IPsec peer configuration is visible in this export. If the
# router is not meant to terminate IPsec, these rules only expose the IKE
# service to the Internet and can be removed or limited to known peers.
/ip firewall filter add action=accept chain=input comment="accept IKE" dst-port=500,4500 protocol=udp
/ip firewall filter add action=accept chain=input comment="accept ipsec AH" protocol=ipsec-ah
/ip firewall filter add action=accept chain=input comment="accept ipsec ESP" protocol=ipsec-esp
/ip firewall filter add action=accept chain=input comment="accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=input comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Final rule: everything not arriving on a list-lan interface is dropped. This
# covers list-wan and list-vod-iptv. Management services and the DNS resolver
# depend on this rule staying last.
/ip firewall filter add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!list-lan
# FORWARD chain (traffic routed through the router). There is no catch-all
# drop at the end, so any packet that matches none of the rules below is
# accepted.
#
# Rate-based detection for new connections arriving from list-wan: the
# ddos-detect chain returns while a source/destination pair stays within the
# dst-limit, otherwise it records both addresses for 10 minutes. The drop rule
# after it blocks new connections between a listed source and a listed
# destination.
/ip firewall filter add action=jump chain=forward comment="detect DDOS" connection-state=new in-interface-list=list-wan jump-target=ddos-detect
/ip firewall filter add action=return chain=ddos-detect dst-limit=32,64,src-and-dst-addresses/10s
/ip firewall filter add action=add-dst-to-address-list address-list=list-ddos-dst address-list-timeout=10m chain=ddos-detect
/ip firewall filter add action=add-src-to-address-list address-list=list-ddos-src address-list-timeout=10m chain=ddos-detect
/ip firewall filter add action=drop chain=forward connection-state=new dst-address-list=list-ddos-dst src-address-list=list-ddos-src
# Established/related connections are fasttracked and then accepted.
# NOTE(review): fasttracked packets skip most later processing (including the
# mangle set-priority rule and IPsec policy matching). The fasttrack rule is
# placed before the ipsec accept rules and has no ipsec-policy exclusion;
# confirm against the RouterOS documentation if IPsec tunnels are in use.
# SIP replies to an outbound REGISTER would be matched here as established, so
# nothing in this chain singles out UDP 5060.
/ip firewall filter add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
# Inter-VLAN policy between the three LAN trust tiers: fully trusted may open
# connections to partially trusted; every other cross-tier direction is
# dropped.
# NOTE(review): list-vod-iptv is not covered by any rule here and is not part
# of list-wan or list-lan. New connections between the TV segment and the LAN
# tiers fall through to the implicit accept at the end of the chain; add
# explicit rules if the TV segment should be isolated.
/ip firewall filter add action=accept chain=forward comment="allow fully trusted to partially trusted VLAN communication" in-interface-list=list-lan-fully-trusted out-interface-list=list-lan-partially-trusted
/ip firewall filter add action=drop chain=forward comment="drop fully trusted to untrusted VLAN communication" in-interface-list=list-lan-fully-trusted out-interface-list=list-lan-untrusted
/ip firewall filter add action=drop chain=forward comment="drop partially trusted to fully trusted VLAN communication" in-interface-list=list-lan-partially-trusted out-interface-list=list-lan-fully-trusted
/ip firewall filter add action=drop chain=forward comment="drop partially trusted to untrusted VLAN communication" in-interface-list=list-lan-partially-trusted out-interface-list=list-lan-untrusted
/ip firewall filter add action=drop chain=forward comment="drop untrusted to fully trusted VLAN communication" in-interface-list=list-lan-untrusted out-interface-list=list-lan-fully-trusted
/ip firewall filter add action=drop chain=forward comment="drop untrusted to partially trusted VLAN communication" in-interface-list=list-lan-untrusted out-interface-list=list-lan-partially-trusted
/ip firewall filter add action=drop chain=forward comment="drop internet communication from denied interfaces" in-interface-list=list-deny-internet out-interface-list=list-wan
/ip firewall filter add action=drop chain=forward comment="drop invalid" connection-state=invalid
# ICMP, HIP (protocol 139), IKE, AH and ESP are accepted in FORWARD from any
# interface, including list-wan, and these accepts are evaluated BEFORE the
# "drop all from WAN not DSTNATed" and bogon-source rules further down.
# NOTE(review): this block resembles an IPv6 rule set, where forwarding these
# protocols to hosts is expected. On an IPv4 NAT router it lets these protocols
# bypass the WAN drop rules; consider moving the two WAN drops above this block
# or adding in-interface-list=!list-wan to these accepts.
/ip firewall filter add action=accept chain=forward comment="accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=forward comment="accept HIP" protocol=139
/ip firewall filter add action=accept chain=forward comment="accept IKE" dst-port=500,4500 protocol=udp
/ip firewall filter add action=accept chain=forward comment="accept ipsec AH" protocol=ipsec-ah
/ip firewall filter add action=accept chain=forward comment="accept ipsec ESP" protocol=ipsec-esp
/ip firewall filter add action=accept chain=forward comment="accept all that matches ipsec policy" ipsec-policy=in,ipsec
# New connections from list-wan are dropped unless a dst-nat rule translated
# them. No dst-nat rules are present in this export, so this blocks all
# unsolicited inbound forwarding from the WAN that reaches this rule.
/ip firewall filter add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=list-wan
# Bogon handling: LAN hosts may not reach bogon destinations outside the LAN,
# and WAN packets with a bogon source address are dropped.
/ip firewall filter add action=drop chain=forward comment="drop tries to reach not public addresses from LAN" dst-address-list=list-bogus-ipv4 in-interface-list=list-lan out-interface-list=!list-lan
/ip firewall filter add action=drop chain=forward comment="drop incoming from internet which is not public IP" in-interface-list=list-wan src-address-list=list-bogus-ipv4
# Copy the top three DSCP bits of each packet into its priority in postrouting.
/ip firewall mangle add action=set-priority chain=postrouting comment="DSCP tagging" new-priority=from-dscp-high-3-bits passthrough=yes
# Source NAT. Traffic leaving through any list-wan interface (which includes
# pppoe-fiber-ipv4) is masqueraded unless it matches an IPsec policy; traffic
# leaving through bridge-vod-iptv is masqueraded as well.
# NOTE(review): src-address-type="" is an empty matcher, probably an export
# artifact; confirm it is not meant to hold a value.
/ip firewall nat add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=list-wan src-address-type=""
/ip firewall nat add action=masquerade chain=srcnat out-interface=bridge-vod-iptv src-address-type=""
# Connection-tracking helpers (ALGs). The SIP helper is disabled, matching the
# post. The FTP and IRC helpers stay enabled, each on an extra port.
# Helpers inspect application payloads in order to admit related connections
# through NAT. NOTE(review): keep enabled only the ones that are actually
# needed on this network.
/ip firewall service-port set ftp ports=21,2121
/ip firewall service-port set tftp disabled=yes
/ip firewall service-port set irc ports=6667,6697
/ip firewall service-port set h323 disabled=yes
/ip firewall service-port set sip disabled=yes
/ip firewall service-port set pptp disabled=yes
/ip firewall service-port set udplite disabled=yes
/ip firewall service-port set dccp disabled=yes
# IGMP proxy for IPTV: bridge-vod-iptv is the upstream side,
# interface-vlan-iptv the downstream side.
# alternative-subnets=0.0.0.0/0 accepts multicast sources from any subnet on
# both interfaces. NOTE(review): narrowing this to the provider's multicast
# source ranges, if known, limits which senders the proxy will relay.
/routing igmp-proxy set quick-leave=yes
/routing igmp-proxy interface add alternative-subnets=0.0.0.0/0 interface=bridge-vod-iptv upstream=yes
/routing igmp-proxy interface add alternative-subnets=0.0.0.0/0 interface=interface-vlan-iptv